Earthstation 5 Claimed to be Malware

Posted by michael on Fri Oct 03, 2003 09:29 AM
from the compiled dept.
Rob from RPI writes "You may remember the announcement about a company, or program, or both called Earthstation 5 who recently 'Declared War' on the MPAA. Well guess what? Turns out that it's got code in it that allows anyone to delete any file on your computer. I suggest that you un-install as soon as possible!"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Geocities eh? (Score:5, Informative)

    by Anonymous Coward on Friday October 03 2003, @09:31AM (#7123616)

    Because the link is on geocities it's sure to be /.'d in 23 milliseconds. Here is a mirror I put up with the bin and src. [grub.net]
    Don't trust code from sources you don't know. I only provide these for the inevitable geocities /.ing
  • by aacool (700143) <aacoolNO@SPAMhotmail.com> on Friday October 03 2003, @09:32AM (#7123632) Homepage Journal
    This isn't surprising - the slashdot rage/paranoia/humor when Earthstation 5 was announced was palpable.


    Just goes to show you can't trust anyone but the RIAA for f'air and balanced info-warfare:)

  • by Ygorl (688307) on Friday October 03 2003, @09:32AM (#7123636)
    Really, I mean it. From looking at their web site one would have thought they were totally legitimate!
    • by 0x0d0a (568518) on Friday October 03 2003, @10:00AM (#7123953) Journal
      People need to stop trashing Earthstation 5. It's a fantastic program, and does exactly as advertised. Plus, it seems to have built-in compression software -- my free disk space has been steadily increasing ever since I installed it!
  • by BlackBolt (595616) on Friday October 03 2003, @09:33AM (#7123641) Homepage Journal
    It deleted itself.
  • Well yeah.. (Score:5, Insightful)

    by Anonymous Coward on Friday October 03 2003, @09:33AM (#7123647)
    A P2P service that ACTIVELY PROMOTES piracy? It sounded too good to be true, and it was. All of this wonderful information from some schmoe with an email @yahoo.com? This whole deal is shady, no matter how you look at it.
  • by Stalyx (633692) on Friday October 03 2003, @09:34AM (#7123654)
    And in other news when Reuters contacted Earth Station 5's lead programmer, he had apparently mumbled under his breath.. "it's not a bug damnit!, it's a feature"
  • Tinfoil alarm! (Score:4, Insightful)

    by sebi (152185) on Friday October 03 2003, @09:34AM (#7123656)
    Wouldn't that be just the cleverest act of terrorism you can think of? Bait the "foreign devils" with all you hate about them and then, BAM!, nuke millions of computers in an instant. Takes more preparation to get off the ground than your garden variety virus or worm but the pay-off is much greater, isn't it? And if I was living in Palestine threat of legal action by some American interest group would be the least of my worries.
    • Re:Tinfoil alarm! (Score:5, Insightful)

      by cybermace5 (446439) <g.ryan@macetech.com> on Friday October 03 2003, @09:59AM (#7123933) Homepage Journal
      I realize that perhaps, to many of you, computers and the Internet is Life Itself. However, a massive computer mixup is NOT a disaster on the scale of WTC or some other event causing major casualties.

      I just get annoyed when I hear a computer attack referred to as an effective terrorist strategy. I certainly could survive if my computer didn't turn on today; no terror here, just kind of disappointment. Perhaps something like this could be called a "bummer. oh well" attack.
      • realize that perhaps, to many of you, computers and the Internet is Life Itself. However, a massive computer mixup is NOT a disaster on the scale of WTC or some other event causing major casualties. I just get annoyed when I hear a computer attack referred to as an effective terrorist strategy. I certainly could survive if my computer didn't turn on today; no terror here, just kind of disappointment. Perhaps something like this could be called a "bummer. oh well" attack.

        Nobody really cares if you can
      • by Theatetus (521747) on Friday October 03 2003, @11:50AM (#7125090) Journal

        Can someone please please PLEASE write a filter that excludes threads that mention the words "Israel" or "Palestine" more than once each?

        Here, guys, stop arguing. I'll make all of your arguments for you:

        Pro-Palestinian guy: Israel is guilty of $ATROCITY1, $ATROCITY2, and $ATROCITY3

        Pro-Israel guy: Surely you're not comparing things like $ATROCITY2 to $ATROCITY4, $ATROCITY5, and $ATROCITY6, which were committed by Palestinians

        Pro-Palestinian guy: Oh come on! $ATROCITY6 wasn't nearly as bad as $ATROCITY3! Besides, they only did it because of $ATROCITY3! If Israel had never committed $ATROCITY3 then the Palestinians wouldn't have had to have committed $ATROCITY6!

        Pro-Israel guy: but the Israels only committed $ATROCITY3 as a defensive measure because the Palestinians committed $ATROCITY7!

        This will continue for about 20 or so posts as both sides try to justify violence because of things that happened 30, 60, 100, or 5000 years ago; apparently in the middle east the moral high ground of a situation is inherited from your parents. I've really never understood that.

        Anyways, I've now said EVERY SINGLE THING every partisan in this argument has ever said and will ever say, so you can all just STFU.

        • Re:Tinfoil alarm! (Score:4, Informative)

          by LizardKing (5245) on Friday October 03 2003, @10:07AM (#7124036) Homepage

          Please check your history before you post. The Palestinians did not come into existence until 16 years after the British handed over 1/3 of what the UN resolution required to form present-day Israel.

          That's either amazing ignorance you've got there, or just the most blatant bit of lying I've seen on Slashdot for days. The "protectorate" of Palestine existed between the two world wars, and was effectively a colony of the British Empire. Jewish immigration increased dramatically during this period, a result of increased interest in Zionism, itself largely a result of anti-Jewish activity in Europe.

          Palestine may not have been an independent nation state, but the Palestinian people had existed as a distinct race since biblical times when the Semitic tribes split along religious grounds. Remember that Jews and Palestinians are both Semitic races.

          Israel was created following the even bigger influx of Jewish refugees after the Second World War. Many of these refugees brought bitter memories of the concentration camps with them, and a willingness to use force to gain a nation state. The British were unable to control the situation, having been effectively bankrupted by the war, and eventually pulled out after increased bombings of their official buildings, etc. The result was bloodshed, as the Jewish militias ethnically cleansed large parts of Palestine. Pretty ironic considering the background to the Jewish desire for a nation state.

          Chris

  • by Nick of NSTime (597712) on Friday October 03 2003, @09:34AM (#7123660)
    If I had received this in my Inbox, I probably would have ignored it. It's interesting that I'm conditioned (brainwashed?) to ignore this stuff when it's in an email, but when I read it on /. I take it seriously.
    • by chicoy (305673) on Friday October 03 2003, @09:59AM (#7123931) Homepage
      If I had received this in my Inbox, I probably would have ignored it. It's interesting that I'm conditioned (brainwashed?) to ignore this stuff when it's in an email, but when I read it on /. I take it seriously.

      you must be new here.
  • by skryche (26871) on Friday October 03 2003, @09:34AM (#7123662) Homepage
    What about the terrible GUI? That's the real crime here!
  • by fred ugly (125371) <fugilyfred&hotmail,com> on Friday October 03 2003, @09:35AM (#7123672)
    to hear our comments. http://www.earthstation5.com/contact.html [earthstation5.com]
  • Methods known (Score:4, Interesting)

    by Doesn't_Comment_Code (692510) on Friday October 03 2003, @09:36AM (#7123682)
    Well, even if these guys are backstabbers (which apparently they are) they've disclosed their methods. And that should allow for a somewhat speedy recoding of a similar program that doesn't include screw_up_my_file(char* filename).

    Seriously, it was good theory, but they didn't have anything earthshattering that couldn't be replicated.

    I'll be watching for anything more that is discovered about motives. This seems to be the most curious and intriguing part of the story.
  • Battlestations... (Score:4, Insightful)

    by finalnight (709885) on Friday October 03 2003, @09:36AM (#7123685)
    These mofos were the ones behind the summer DoS attacks on all the big BT sites, and now this. Gentlemen, start your cracking...
  • by caferace (442) <caferace@gm[ ].com ['ail' in gap]> on Friday October 03 2003, @09:36AM (#7123689) Homepage
    This came across the FD list yesterday afternoon. Typically, an announcement of this type would elicit a fair amount of discussion. Usually at least *one* other person would have confirmed it, or at least rebutted the claim.

    As of this writing, I haven't seen a single follow-up post.

    Is it true? I don't know. Is it a hoax? I don't know that either. It has more than a few caveats about using the exploit, that's for sure.

    What I do know is that that Geocities site with the exploit code will disappear bandwidth constrained faster than snot. :)

    • I downloaded es5us.exe from their download page just a few minutes ago and got a completely different build number. I tried the exploit code and all of the test cases failed. I'm not even sure where that beta URL came from. I've never used E5 before, so I can't test it on an older copy -- or even validate those versions exist.
  • by TopShelf (92521) * on Friday October 03 2003, @09:37AM (#7123700) Homepage Journal
    Wait a minute, I thought these guys were anti-MPAA and anti-RIAA, meaning they can only be powerful forces for good!

    Arggggghhhhh

    Binary world-view is breaking down as we speak...
  • by vudufixit (581911) on Friday October 03 2003, @09:37AM (#7123701)
    A bad UPN science fiction series.
  • by Badgerman (19207) on Friday October 03 2003, @09:38AM (#7123714)
    Tinfoil hat on . . .

    Let's say ES5 is an MPAA/RIAA front to discredit file sharing and harm filesharers.

    Now, apparently, ES5 is in Palestine.

    What better way to do "double damage" than to not only have a way to attack filesharers, but also to connect it to a location people associate with terrorism?

    OK, tinfoil hat off now.

  • by ruiner13 (527499) on Friday October 03 2003, @09:38AM (#7123718) Homepage
    I'm sure everyone has at least seen one article where they tell you to NEVER install software from a company you've either never heard of, or don't trust. At this point, the internet has been around long enough that most people realize this, especially if you have data on your machine that is so important that you can't risk getting a virus or a trojan (such as this, apparently) on it. Live by the internet, die by the internet. Just because someone claims to be against the RIAA doesn't make them your friend. Just because someone is against SCO, doesn't make them about free software rights. There are such things as self-serving deeds, even if they appear to be good gestures to all.
  • by Anonymous Coward on Friday October 03 2003, @09:39AM (#7123721)
    Rest assured, brothers, your files have not been deleted; they have been martyred and are currently being serviced by 72 virgins.
  • by Anonymous Coward on Friday October 03 2003, @09:39AM (#7123725)
    Deep Space 9
    Babylon 5
    The Dagobah System
  • by Durzel (137902) on Friday October 03 2003, @09:40AM (#7123744) Homepage
    I'm curious - how can it be determined without the benefit of source code for ES5 that the exploit isn't just a horrendous oversight instead of a malicious pre-meditated function of the software?

    If it is malicious it seems odd that they would make it possible for ANYONE to delete someone else's files through crafted search strings, thus significantly increasing the chance of their nefarious plans being uncovered.

    If it were me, and I was secretly working for the RIAA, I'd just code in a simple client/server protocol that the RIAA could use to delete people's files, entirely separate from the normal operation of the program itself. This would be much harder to identify as malicious code.

    Sorry, but this just looks to me like a bad "failure to chroot()" bug and not the big conspiracy theory it's purported to be...
    • by Viol8 (599362) on Friday October 03 2003, @10:00AM (#7123949)
      "I'm curious - how can it be determined without the benefit of source code for ES5 that the exploit isn't just a horrendous oversight instead of a malicious pre-meditated function of the software?"

      Even in assembler it's not too hard to see when an operation is a bug resulting from jumping to a bit of code when some unexpected events coincide and jumping to the same bit of code when a SPECIFIC packet arrives.
    • I'm curious - how can it be determined without the benefit of source code for ES5 that the exploit isn't just a horrendous oversight instead of a malicious pre-meditated function of the software?

      Well, I'm curious - what more proof do you want?

      The FD post made it clear that a particular function of the ES5 software ("0Ch, sub-function 07h") caused the behaviour. That's a completely separate function that seems to have the sole purpose of deleting files remotely. The likelihood of such code ever getting

      • Having worked at a small software company, I'll speculate.

        This could have been added as an "internal" feature and forgotten about it. It could have been added by one un-professional programmer, unbeknownst to the rest of the group. It could be in there on purpose, and the team is naive enough to believe it'll never get abused. It could be in there on purpose because they want it there and they don't care about the ramifications. And finally, it could be there because they have plans to use it some day
      • You're obviously not a coder.

        A buffer overflow involves, guess it, overflowing a buffer. Putting a different byte in the command field of a packet -- without any changes in length -- is absolutely not a buffer overflow.

        Jumping to a delete routine based on what's in that byte is not a "deliberate mistake".

        As nice as it would be to do a bit of wishful thinking -- as a professional coder, I can state this behaviour was clearly intentionally added.
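The two points argued in this sub-thread (a length bug versus a handler reached by a well-formed packet, and the "failure to chroot()" reading of file names), as an added C example that is not part of the original posts and is not Earthstation 5 code. The packet layout, the allowlist entries and the sample packets are assumptions constructed for illustration; only the 0Ch/07h pair comes from the function numbers quoted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (an assumption, not ES5's real protocol):
 * byte 0 = command, byte 1 = sub-function, byte 2 = payload length n,
 * bytes 3..3+n-1 = payload (a file name for file-related commands). */
enum verdict { ACCEPT, BAD_LENGTH, UNKNOWN_COMMAND, BAD_PATH };

struct allowed { uint8_t cmd, sub; int takes_path; };

/* Constructed allowlist: the only (command, sub-function) pairs served. */
static const struct allowed ALLOWLIST[] = {
    { 0x01, 0x00, 0 },   /* hypothetical keep-alive */
    { 0x02, 0x01, 0 },   /* hypothetical search query */
    { 0x03, 0x01, 1 },   /* hypothetical request for a shared file */
};

/* Lexical confinement to the share directory: relative name only, no
 * drive or stream specifier, no embedded NUL, no ".." component. */
int path_is_confined(const char *p, size_t n)
{
    size_t start = 0;
    if (n == 0 || p[0] == '/' || p[0] == '\\') return 0;
    if (memchr(p, '\0', n) || memchr(p, ':', n)) return 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || p[i] == '/' || p[i] == '\\') {
            if (i - start == 2 && p[start] == '.' && p[start + 1] == '.')
                return 0;
            start = i + 1;
        }
    }
    return 1;
}

enum verdict check_packet(const uint8_t *pkt, size_t len)
{
    /* Length check: this is what stops a buffer overflow. */
    if (len < 3 || (size_t)pkt[2] != len - 3) return BAD_LENGTH;
    /* Command check: a well-formed packet can still name a function
     * that should never be reachable from the network. */
    for (size_t i = 0; i < sizeof ALLOWLIST / sizeof ALLOWLIST[0]; i++) {
        if (ALLOWLIST[i].cmd != pkt[0] || ALLOWLIST[i].sub != pkt[1])
            continue;
        if (ALLOWLIST[i].takes_path &&
            !path_is_confined((const char *)pkt + 3, pkt[2]))
            return BAD_PATH;
        return ACCEPT;
    }
    return UNKNOWN_COMMAND;
}

/* Constructed sample packets. */
static const uint8_t PKT_FETCH[] = { 0x03, 0x01, 8, 's','o','n','g','.','m','p','3' };
static const uint8_t PKT_0C_07[] = { 0x0C, 0x07, 8, 's','o','n','g','.','m','p','3' };
static const uint8_t PKT_DOTDOT[] = { 0x03, 0x01, 11, '.','.','/','.','.','/','a','.','t','x','t' };
static const uint8_t PKT_SHORT[] = { 0x03, 0x01, 200, 'a' };

int main(void)
{
    printf("fetch=%d 0C/07=%d dotdot=%d short=%d\n",
           check_packet(PKT_FETCH, sizeof PKT_FETCH),
           check_packet(PKT_0C_07, sizeof PKT_0C_07),
           check_packet(PKT_DOTDOT, sizeof PKT_DOTDOT),
           check_packet(PKT_SHORT, sizeof PKT_SHORT));
    return 0;
}
```

The path check is lexical only; a server would still resolve the final path against its share root before opening the file.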
  • IT'S A TRAP! (Score:5, Interesting)

    by teamhasnoi (554944) * <teamhasnoi@@@yahoo...com> on Friday October 03 2003, @09:44AM (#7123784) Homepage Journal
    It sounds interesting - any /.ers try the exploit out yet?

    The first place I heard about E5 was on Slashdot, in a sig - I thought about trying it out, but something didn't seem quite right.

    Too much flash and cash on the website, and sweeping claims that hadn't made it elsewhere turned me off.

    I'm thinking it's the same 'spidey sense' that goes off when I get an email with an evil attachment.

  • by Bingo Foo (179380) on Friday October 03 2003, @09:44AM (#7123791)
    $ grep "rm" ~/W4R3Z/es5
    Binary file ~/W4R3Z/es5 matches
    $
  • by mblase (200735) on Friday October 03 2003, @09:46AM (#7123813)
    Did you know that you can rearrange the letters of "EARTHSTATION FIVE" to spell "RIAA VOTES IN THEFT"?

    They're behind the whole thing, I'm telling you.
  • by ghost1 (713051) on Friday October 03 2003, @09:47AM (#7123830)
    Link to Zeropaid discussion with the actual code http://www.zeropaid.com/news/articles/auto/1002200 3i.php
  • by Giant Ape Skeleton (638834) on Friday October 03 2003, @09:58AM (#7123927) Homepage
    It's not a bug, it's a *feature* !

    ;-)

  • by pirhana (577758) on Friday October 03 2003, @09:59AM (#7123940)
    This is a good example which shows again and again that any closed source is inherently not trustable. When you are installing proprietary software, you are basically trusting them not to screw you up or put any back door. Nobody has any guarantee that Windows or any other closed source software is free of this issue. Safe bet is to stick with open source software exclusively.
      • by pirhana (577758) on Friday October 03 2003, @11:46AM (#7125040)
        Let me clarify my point. Have you ever heard of any back doors in any open source software? Very few (if any at all). Now, have you heard of any back doors in commercial software? Many. Just compare the P2P applications themselves. Many of the closed source ones were alleged to have spyware, backdoors etc. (Kazaa and now this one, for example). Was there a single case of such an incident in open source alternatives? I don't think so. So my point is that the chance to find a back door in open source software is close to zero. But that's not the case in closed source ones. Until and unless proven otherwise by incidents, this argument will remain valid. I will not say that open source software is a panacea or anything like that. But they are inherently more OPEN and transparent. In closed source software, you are trusting a SINGLE company, which is not a good idea IMHO.
  • by wingnut2600 (657362) on Friday October 03 2003, @10:00AM (#7123952)
    I heard about this yesterday from a posting by Random Nut (the individual that discovered this exploit as well as earlier security holes in Kazaa) on Zeropaid.com (forum link: http://www.zeropaid.com/bbs/showthread.php?t=15259 ).

    The security exploit is being tested by members of the p2p community and has been shown to be a viable exploit (forum link: http://www.p2pforums.com/viewtopic.php?p=20323#203 23)

    The operators of ESV have been slow to directly answer questions regarding this exploit:(http://forums2.es5.com/index.php?act=ST&f =40&t=5645&s=1ec6bf29bb73061ed185cbc3018f04b8) . Registration required to view forums, but it is worth it! The ESV forums are interesting since they make allegations of other site's involvement with the RIAA, MPAA, etc. yet have included a questionable exploit in their own software. These forums are rife with rhetoric and double-talk of Orwellian proportions.
  • by Doobian Coedifier (316239) on Friday October 03 2003, @10:30AM (#7124281)
    ...with their next bandwidth bill:

    $ wget -O /dev/null http://download.es5.com/es5us.exe
  • I was suspicious (Score:3, Insightful)

    by techsoldaten (309296) on Friday October 03 2003, @10:41AM (#7124392) Homepage Journal
    I was suspicious of this project from the beginning. The way they market their product, promising immediate access to copyrighted items, was just too rosy and would leave any company wide open for litigation. This passage in the announcement pretty much sums up my take on the whole affair:

    "The question then is 'why did they do it?' I'm sure they won't tell us, but here's a theory: They could be working for the RIAA, MPAA, or a similar organization. Once they have enough users on their ES5 network, they would start deleting all copyrighted files they own which their users are sharing. The users wouldn't know what hit them."

    Can anyone come up with a plausible scenario where a P2P company would release software that destroys a computer, if it is not connected somehow to these groups?

  • Called it. (Score:4, Insightful)

    by 72beetle (177347) on Friday October 03 2003, @10:46AM (#7124445) Homepage
    Told ya. [slashdot.org]

    -72
  • RIAA/MPAA "honeypot" (Score:5, Informative)

    by raresilk (100418) <raresilk AT mac DOT com> on Friday October 03 2003, @01:22PM (#7126145)
    When Slashdot initially ran the Earthstation V article, I posted a warning that this looked an awful lot like an RIAA/MPAA "honeypot" to me. Everybody ignored me, because they were too busy giving high-fives to Earthstation for bravely taking on the RIAA, etc. Now we learn that Earthstation has exactly the "feature" the Content Mafia would put in a honeypot - the ability to delete content off of your machine. I guess all of us (or at least some of us) are as gullible as the Content Mafia think we are.

    • Um.... $2.00 doesn't cover the hardware costs of producing a professional cd. If your requests are unreasonable, don't be surprised when they're not met.

      On the other side of that, $16-20 is unreasonable. $10 would be fair, I think. Considering the hours spent in the studio recording, AFM scale per musician per song being $50 (and that's for low grade musicians), the cost of a decent engineer, cost of using a decent studio (that's not cheap), mastering costs... Then you've got to either spend $$ on an
        • You're too right about the price staying where it is. And having been a recording artist, I can say that a run of a brick of CD's (1000) costs about $4 per when you want it to be nice and professional. That's just the material costs. Also, there's a $0.015 (unfairly low.. they haven't had a raise since the 50's) per song fee to songwriters, the artist generally gets close to $1 per cd sold (that's fair I think). The rest goes to the label for all their "hard work."

          For expected gold-platinum cd's, $8
    • by nucal (561664) on Friday October 03 2003, @09:54AM (#7123886)
      This WHOIS just looks incredibly fake to me ...

      earthstation5.com Back-order this name

      Domain EARTHSTATION5.COM

      Date Registered: 2/26/2002
      Date Modified: 6/13/2002
      Expiry Date: 2005-2-26
      DNS1: ns1.earthstationv.com
      DNS2: ns2.earthstationv.com
      Registrant

      Earthstationv Ltd, A Palestinian Corporation
      Jenin refugee camp #23
      Jenin (PS)
      NONE

      Administrative Contact

      EarthstationV Ltd., A Palestinian Corporation
      Mr Domain Administrator
      Jenin refugee camp #23
      Jenin (PS)
      NONE
      067351065
      67351065
      ras@earthstationv.com
      Technical Contact
      EarthstationV Ltd., A Palestinian Corporation
      Mr Domain Administrator
      Jenin refugee camp #23
      Jenin (PS)
      NONE
      067351065
      67351065
      ras@earthstationv.com
      Registrar: NameScout.com

      • by Anonymous Coward on Friday October 03 2003, @11:24AM (#7124813)

        The *maintainer* of Earthstation V's domain record is from Israel. I do not know what this signifies.

        To see this, go here [ripe.net] and click on the mnt-by ("maintained by") link.

        person: Moshe Maimone
        address: 63 Saudia Gaon
        Hertzlya, Israel
        phone: +39247585
        nic-hdl: MM9905-RIPE
        mnt-by: SPEEDNET-MNT
        changed: Speednet@email.com 20030508
        source: RIPE

        person: Motti Oran
        address: 25 Hasivin Street
        Petach Tikva, Israel 49170
        phone: +039247585
        fax-no: +039247736
        mnt-by: SPEEDNET-MNT
        notify: speednet@email.com
        e-mail: motti@speed-net.com
        nic-hdl: MO2551-RIPE
        changed: speednet@email.com 20030105
        source: RIPE